EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Microsoft 365 outage drags on for nearly 10 hours
Microsoft blamed "a portion of service infrastructure in North America that is not processing traffic as expected."
Judging by the slowdown in complaints, services seemed back up and running for many. Some users disagreed, with one posting: "Our tenant is still unable to receive external email. I do not think this is resolved."

 

Verizon’s Response to Its Massive Outage Is What No Company Should Ever Do
Verizon customers experienced a massive outage that left them without service for much of their day. At its peak, more than 1.7 million users reported problems. The nationwide outage paralyzed businesses, disconnected families, and generally caused the kind of chaos that happens when the one thing we all rely on suddenly vanishes.
Then I read Verizon’s statement again, and I realized Verizon wasn’t just apologizing. They were executing a cynical business maneuver disguised as customer service. Here’s what I mean. The Verizon apology statement offered a $20 credit that “can be easily redeemed by logging into the myVerizon app to accept.” Think about that. Verizon has the capability to push a button and instantly apply a $20 credit to every single impacted account without the customer lifting a finger. But instead, Verizon is requiring you to actively “claim” your apology. This is the one thing no company should ever do when trying to recover from a self-inflicted crisis: introduce friction into the remedy.
By forcing customers to log into the myVerizon app to “accept” the credit, Verizon is doing two things, neither of which has anything to do with “excellence.”
First, they are betting on the fact that a bunch of people will never accept the credit. In the gift card and rebate industry, “breakage” is the term for the percentage of value that goes unredeemed. Verizon knows that a significant portion of their customer base—perhaps millions of people—will either miss the text message notification, forget to log in, not remember their app password, or simply decide that jumping through hoops isn’t worth twenty bucks. Every customer who fails to navigate this unnecessary friction saves Verizon money.
Second, they are leveraging a disaster of their own making to drive engagement metrics. They are forcing millions of users to open the myVerizon app, juicing their monthly active user (MAU) stats. Using a service failure as a growth hack for app engagement is a breathtakingly cynical move.
The contrast in how they view their customer base is made even starker later in the same update. Verizon notes: “Our business customers will be contacted directly about their credits.”
[rG: The outage lasted over 7 hours and was caused by a 5G network software update issue.]

 

Sorry Dave, I’m afraid I can’t do that! PCs refuse to shut down after Microsoft patch
An emergency fix, KB5077797, landed on January 17 for Windows 11 version 23H2 and is aimed squarely at cleaning up the mess left behind by the regular monthly update earlier in the month. That update left some systems stubbornly refusing to shut down, restart, or hibernate, with shutdown commands frequently shrugged off by the operating system.
On affected systems – typically builds where Secure Launch is enabled by default – machines would go through the motions of shutting down, then either sit there humming away or spring back to life. That translated into laptops quietly draining overnight and desktops burning power long after everyone had gone home.
Microsoft is advising affected users to install KB5077797 to address the shutdown and Remote Desktop problems. For everyone else, it's another reminder that even routine monthly updates can carry side effects, and that problems introduced in the name of security may only surface once patches are widely deployed.

 

ShinyHunters claims Okta customer breaches, leaks data belonging to 3 orgs
Okta Threat Intelligence warned customers about criminals using voice-phishing kits and campaigns to target victim organizations' Google, Microsoft, and Okta accounts.
The criminals leaked data allegedly stolen from market-intel broker Crunchbase, streaming platform SoundCloud, and financial-tech firm Betterment, and confirmed that they gained access to two of the three by voice-phishing Okta single-sign-on codes.
They also claimed to have broken into "a lot more" companies in the Okta campaign than the two they leaked on Friday.
SoundCloud in December confirmed it had been breached and the crooks accessed data belonging to about 20% of its users, which translates to about 28 million people.
Okta Blog: Crims hit the easy button for Scattered-Spider style helpdesk scams
These kits are sold as a service to "a growing number" of digital intruders targeting victims' Google, Microsoft, and Okta accounts, and they include real-time assistance to miscreants looking to intercept users' credentials and multi-factor authentication codes. The kits allow the attacker to monitor the phishing page as the targeted user is interacting with it and trigger different custom pages that the target sees. This creates a more compelling pretext for asking the user to share credentials and accept multi-factor authentication challenges.
While the victim is still on the phone, the attacker uses the compromised credentials and attempts to log in to the victim's account, noting whatever MFA challenges are used and updating the phishing site in real-time.  The attacker then asks the victim to enter a one-time password, accept a push notification, or complete a different type of multi-factor authentication (MFA) challenge.

 

Ingram Micro admits summer ransomware raid exposed thousands of staff records
Ingram Micro disclosed that a July 2025 ransomware attack compromised the personal data of 42,521 employees and job applicants. Ransomware group SafePay claimed responsibility for the attack, allegedly stealing 3.5 TB worth of Ingram's files. The attack took place on July 2, and Ingram Micro detected it a day later, before shutting its systems down. Ingram partially resumed orders within days of the intrusion. Basic personal information such as names, contact information, and dates of birth was exposed, as were identity document numbers such as those for passports, driver's licences, and Social Security numbers. Ingram Micro issued a statement confirming ransomware was involved.
[rG: Fail: taking six months to notify affected persons that their sensitive information was exposed and could have been used for scams and identity theft.]

 

Everest ransomware gang said to be sitting on mountain of Under Armour data
Have I Been Pwned (HIBP) says 72.7 million accounts registered with Under Armour were affected by an alleged ransomware attack in November. The data breach platform ingested the files that were leaked by a member of the Everest ransomware group on January 18 via a cybercrime forum. According to HIBP's post from Tuesday, names, email addresses, dates of birth, genders, geographic locations, and details of previous purchases were leaked. The athletic apparel giant has not yet acknowledged the alleged leak. Law firm Chimicles Schwartz Kriner & Donaldson-Smith filed a proposed class action lawsuit soon after Everest posted the first details of its claimed attack.

 

Many Bluetooth devices with Google Fast Pair vulnerable to “WhisperPair” hack
Fast Pair is widely used, and your device may be vulnerable even if you’ve never used a Google product. The bug affects more than a dozen devices from 10 manufacturers, including Sony, Nothing, JBL, OnePlus, and Google itself. Google has acknowledged the flaw and notified its partners of the danger, but it’s up to these individual companies to create patches for their accessories.
Once an attacker has forced a connection to a vulnerable audio device, they can perform relatively innocuous actions, such as interrupting the audio stream or playing audio of their choice. However, WhisperPair also allows for location tracking and microphone access. So the attacker can listen in on your conversations and follow you around via the Bluetooth device in your pocket.
WhisperPair is even more problematic because you cannot disable Fast Pair functionality on supported devices. The only thing you can do is install the companion app and wait for an update. Google says it pushed a phone update to partially protect devices, but it was a simple matter to find a workaround for that patch. It may take weeks or months for all the affected devices to be fully fixed.
If you’re worried someone has used this flaw to gain access to your headphones, all you can do is factory reset them, forcing the attacker to redo the hack. It’s also smart to keep the official app installed so you can get firmware updates as soon as they’re available.
[rG: Think of all the apps now needed for personal software-enabled devices: cooking thermometers, light bulbs, thermostats, robovacs, garage doors and home security, kitchen appliances, automobiles, medical/health monitors, …]

 

FortiGate firewalls hit by silent SSO intrusions and config theft
This activity stemmed from two critical authentication bypass bugs (CVE-2025-59718 and CVE-2025-59719) that let attackers bypass SSO login checks via specially crafted SAML responses. Patches for those were shipped last December, but Arctic Wolf's advisory follows a growing wave of reports from administrators who believe attackers are exploiting a patch bypass for CVE-2025-59718 to compromise firewalls that were already thought to be fixed.
Affected admins say Fortinet has privately acknowledged that FortiOS 7.4.10 does not fully remediate the SSO authentication bypass, despite the issue being flagged as patched with the release of FortiOS 7.4.9 in early December. Several customers report seeing intrusions on fully updated systems.

 

Crims compromised energy firms' Microsoft SharePoint accounts, sent 600 phishing emails
Unknown attackers are abusing Microsoft SharePoint file-sharing services to target multiple energy-sector organizations, harvest user credentials, take over corporate inboxes, and then send hundreds of phishing emails from compromised accounts to contacts inside and outside those organizations.
Attackers likely used previously-compromised email addresses to gain initial access. These emails contained a SharePoint URL requiring user authentication and subject lines such as "New Proposal - NDA" to make them appear legitimate. People who clicked on the URL were redirected to a website that required them to enter user credentials, thus giving the criminals valid usernames and passwords to use in later stages of these attacks.
Then, the attackers signed in to the compromised accounts with another IP address and created an inbox rule to delete all incoming emails and mark all the emails as read. And from these compromised inboxes, the miscreants sent out new phishing emails - in one case involving more than 600 emails sent with another phishing URL.
Even if the compromised user's password is reset and sessions are revoked, the attacker can set up persistence methods to sign-in in a controlled manner by tampering with MFA. For instance, the attacker can add a new MFA policy to sign in with a one-time password (OTP) sent to the attacker's registered mobile number.
Microsoft suggests enabling conditional access policies that evaluate sign-in requests using additional identity-driven signals like user or group membership, IP location information, and device status. If these signals trigger a security alert, the suspicious sign-in is denied.

 

Reprompt: A single click mounted a covert, multistage attack against Copilot
Recently patched, the attack and resulting data theft bypassed enterprise endpoint security controls and detection by endpoint protection apps.
The net effect of their multistage attack was that they exfiltrated data, including the target’s name, location, and details of specific events from the user’s Copilot chat history. The attack continued to run even when the user closed the Copilot chat, with no further interaction needed once the user clicked the link, a legitimate Copilot one, in the email.
Appended to the end of the maliciously crafted URL is a series of detailed instructions in the form of a q parameter, which Copilot and most other LLMs use to input URLs directly into a user prompt. When the link was clicked, the parameter caused Copilot Personal to embed personal details into web requests.

 

US gov’t: House sysadmin stole 200 phones, caught by House IT desk
Christopher Southerland was working in 2023 as a sysadmin for the House Committee on Transportation and Infrastructure. In his role, Southerland had the authority to order cell phones for committee staffers, of which there are around 80. But during the early months of 2023, Southerland is said to have ordered 240 brand-new phones.
At some point, at least one of the phones ended up, intact, on eBay, where it was sold to a member of the public. When the phone booted, it did not display the expected device operating system screen but instead “a phone number for the House of Representatives Technology Service Desk.” The phone buyer called this number, which alerted House IT staff that government phones were being sold on eBay.

 

London boroughs limping back online months after cyberattack
Hammersmith & Fulham Council says payments are now being processed as usual, two months after a cyberattack that affected multiple boroughs in the UK's capital city. The council's status page indicates most services are available, although some remain down, and those seeking support on the phone could face lengthy waits.

 

Ancient telnet bug happily hands out root to attackers
A recently disclosed critical vulnerability in the GNU InetUtils telnet daemon (telnetd) is "trivial" to exploit. The bug, which had gone unnoticed for nearly 11 years, was disclosed on January 20 and is tracked as CVE-2026-24061 (9.8). It was introduced in a May 2015 update, and if you're one of the few to still be running telnetd, patch up, because attacks are already underway.

  

HACKING
Don't click on the LastPass 'create backup' link - it's a scam
LastPass vaults contain customers' most sensitive information - usernames, passwords, credit card details, and secure notes - protected by a single master password. This makes LastPass a constant target for criminals who can use these details for all sorts of financial and identity fraud.
The latest phishing campaign began around January 19 with emails being sent from several addresses with multiple subject lines. All of these are about LastPass maintenance, and they all urge customers to back up their vaults within 24 hours.

 

VoidLink: Never-before-seen Linux malware for Cloud is “far more advanced than typical”
VoidLink is a comprehensive ecosystem designed to maintain long-term, stealthy access to compromised Linux systems, particularly those running on public cloud platforms and in containerized environments.
VoidLink can target machines within popular cloud services by detecting if an infected machine is hosted inside AWS, GCP, Azure, Alibaba, and Tencent, and there are indications that developers plan to add detections for Huawei, DigitalOcean, and Vultr in future releases. To detect which cloud service hosts the machine, VoidLink examines metadata using the respective vendor’s API.

 

AI-powered cyberattack kits are 'just a matter of time,' warns Google exec
It probably won't be for a few years to come, but cybercriminals are already using AI to enhance small parts of their workflows, and it won't be long before a full, end-to-end toolkit is developed.
For the price of Netflix, crooks can now rent AI to run cybercrime
Dark LLMs – self-hosted language models built for scams and malware rather than polite conversation - sell for as little as $30 a month, with more than 1,000 users between them. Unlike jailbroken mainstream chatbots, these things are meant to stay out of sight, run behind Tor, and ignore safety rules by design.
Synthetic identity kits, including AI-generated faces and voices, can now be bought for about $5. Deepfake fraud caused $347 million in verified losses in a single quarter, including everything from cloned executives to fake video calls. In one case, the firm helped a bank spot more than 8,000 deepfake-driven fraud attempts over 8 months.

 

Mandiant releases rainbow table that cracks weak admin password in 12 hours
The database works against Net-NTLMv1 passwords, which are used in network authentication for accessing resources such as SMB network sharing.
Despite its long- and well-known susceptibility to easy cracking, NTLMv1 remains in use in some of the world’s more sensitive networks. One reason for the lack of action is that utilities and organizations in industries, including health care and industrial control, often rely on legacy apps that are incompatible with more recently released hashing algorithms. Another reason is that organizations relying on mission-critical systems can’t afford the downtime required to migrate. Of course, inertia and penny-pinching are also causes.
Mandiant said it had released an NTLMv1 rainbow table that will allow defenders and researchers (and, of course, malicious hackers, too) to recover passwords in under 12 hours using consumer hardware costing less than $600 USD.

 

APPSEC, DEVSECOPS, DEV
NIST begins overhaul of SP 800-82 to strengthen OT cybersecurity guidance, align with updated NIST frameworks
The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has kicked off a revision of SP 800-82 Rev. 4, the Initial Preliminary Draft of its Guide to Operational Technology Security, a key document for OT (operational technology) environments. The move will incorporate lessons learned, align with relevant NIST guidance, such as Cybersecurity Framework (CSF) 2.0, NIST IR 8286 Rev. 1, NIST SP 800-53 Rev. 5.2.0, and OT cybersecurity standards and practices, to better address changes in the OT threat landscape.

 

CISA Product Categories for Technologies That Use Post-Quantum Cryptography Standards

In response to the June 6, 2025, Executive Order (EO) 14306, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144,” the Cybersecurity and Infrastructure Security Agency (CISA) is providing and regularly updating the below lists to aid in post-quantum cryptography (PQC) adoption. The lists include hardware and software categories with example types of widely available products that use PQC standards to protect sensitive information.

 

Magic Links: Millions of people imperiled through sign-in links sent by SMS
Websites that authenticate users through links and codes sent in text messages are imperiling the privacy of millions of people, leaving them vulnerable to scams, identity theft, and other crimes.
To eliminate the hassle of collecting usernames and passwords—and for users to create and enter them—many such services instead require users to provide a cell phone number when signing up for an account. The services then send authentication links or passcodes by SMS when the users want to log in.
One practice that jeopardizes users is the use of links that are easily enumerated, meaning scammers can guess them by simply modifying the security token, which usually appears at the right of a URL. By incrementing or randomly guessing the token—for instance, by first changing 123 to 124 or ABC to ABD and so on—the researchers were able to access accounts belonging to other users.
Other links used so few possible token combinations that they were easy to brute force. Other examples of shoddy practices were links that allowed attackers who gained unauthorized access to view or modify user data with no authentication other than clicking on a link sent by SMS. Many of the links provide account access for years after they were sent.
Of the 701 services, 125 allowed “mass enumeration of valid URLs due to low entropy.” Attackers who had received links from the same service could then easily modify the tokens they had to access other people’s accounts.
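The low-entropy and long-lived link problems described above, seen from the issuing side. This is an added example, not code from the research or from any of the services studied; the class name, the 10-minute lifetime and the in-memory store are assumptions made for illustration.

```python
import hashlib
import math
import secrets
import time

TOKEN_BYTES = 32          # 256 bits from the OS CSPRNG
TOKEN_TTL_SECONDS = 600   # assumption: links expire after 10 minutes


def token_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random token of the given alphabet and length."""
    return length * math.log2(alphabet_size)


def expected_guesses_to_hit(alphabet_size: int, length: int, live_tokens: int) -> float:
    """Mean number of random guesses before landing on any one live link."""
    return (alphabet_size ** length) / live_tokens


class MagicLinkStore:
    """Hypothetical server-side store for sign-in links sent by SMS.

    Addresses three weaknesses named in the article: guessable tokens,
    links that keep working for years, and links that can be replayed.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        # Only a hash of each token is kept, so a leaked table of pending
        # links cannot be turned back into working URLs.
        self._pending = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Return an unguessable token; sequential or short IDs are never used."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._pending[self._digest(token)] = (user_id, self._clock() + self._ttl)
        return token

    def redeem(self, token: str):
        """Return the user_id once, or None if unknown, reused or expired."""
        record = self._pending.pop(self._digest(token), None)  # single use
        if record is None:
            return None
        user_id, expires_at = record
        if self._clock() > expires_at:
            return None
        return user_id


if __name__ == "__main__":
    # A 6-digit numeric token with 1,000 links live: about 1,000 guesses per hit.
    print(token_entropy_bits(10, 6), expected_guesses_to_hit(10, 6, 1000))
    store = MagicLinkStore()
    link_token = store.issue("user-1")   # constructed sample user
    print(len(link_token), store.redeem(link_token), store.redeem(link_token))
```

A redeemed link should still only start a session for low-risk actions; viewing or changing stored personal data is better gated behind a further check, which this sketch does not cover.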

Overrun with AI slop, cURL scraps bug bounties to ensure “intact mental health”
The project developer for one of the Internet’s most popular networking tools is scrapping its vulnerability reward program after being overrun by a spike in the submission of low-quality reports, much of it AI-generated slop.
“We are just a small single open source project with a small number of active maintainers,” Daniel Stenberg, the founder and lead developer of the open source app cURL, said Thursday. “It is not in our power to change how all these people and their slop machines work. We need to make moves to ensure our survival and intact mental health.”

 

Java Security Code Review: OWASP Patterns for Enterprise
[rG: Promotional article for Synopsys, but provides good explanation of why Source Code Analysis (SCA) tools provide valuable insights needed for Security Code Reviews.]

 

VENDORS & PLATFORMS
Surrender as a service: Microsoft unlocks BitLocker for feds
If you think using Microsoft's BitLocker encryption will keep your data 100 percent safe, think again. Last year, Redmond reportedly provided the FBI with encryption keys to unlock the laptops of Windows users charged in a fraud indictment. Microsoft "typically" backs up BitLocker keys to its servers when the service gets set up from an active Microsoft account. Microsoft provides the option to store keys elsewhere. Instead of selecting "Save to your Microsoft Account," customers can "Save to a USB flash drive," "Save to a file," or "Print the recovery key."  But customers are encouraged to entrust keys to Microsoft because as long as they have access to the account online, they can recover the keys, effectively making Redmond their digital doorman. However, in such circumstances, customers no longer have total control over access to their data.

 

Signal creator Moxie Marlinspike wants to do for AI what he did for messaging
Confer is an open source AI assistant that provides strong assurances that user data is unreadable to the platform operator, hackers, law enforcement, or any other party other than account holders. Confer protects user prompts, AI responses, and all data included in them. And just like Signal, there’s no way to tie individual users to their real-world identity through their email address, IP address, or other details. The service—including its large language models and back-end components—runs entirely on open source software that users can cryptographically verify is in place.

 

Unbreakable? Researchers warn quantum computers have serious security flaws
Penn State warns that today’s quantum machines are not just futuristic tools, but potential gold mines for hackers. The study reveals that weaknesses can exist not only in software, but deep within the physical hardware itself, where valuable algorithms and sensitive data may be exposed.
Classical security methods cannot be used because quantum systems behave fundamentally differently from traditional computers, so we believe companies are largely unprepared to address these security faults.
Currently, there is no efficient way to verify the integrity of programs and compilers -- many of which are developed by third parties -- used by quantum computers at scale, which can leave users' sensitive corporate and personal information open to theft, tampering and reverse engineering.
Unwanted entanglement, known as crosstalk, can leak information or disrupt computing functions when multiple people use the same quantum processor.
[rG: Quantum computers are available now, primarily through cloud access (IBM, IonQ, Microsoft Azure, AWS) and some direct sales (D-Wave, SpinQ), being used for research in finance, medicine, and materials science – although universal use products are still anticipated to be several years away. Key players include IBM (System One/Two), D-Wave (annealers), IonQ (trapped-ion), Quantinuum (H-Series), and Atom Computing.]

 

Providers Evaluate Security as Updated HIPAA Compliance Looms
At the start of 2025, the U.S. Department of Health and Human Services proposed updated HIPAA security requirements that include mandatory data backup and recovery, encryption, multifactor authentication, network segmentation, real-time monitoring, regular security testing and anti-malware software.
CHIME organized a joint letter with more than 100 hospital systems, healthcare organizations and associations asking HHS to withdraw its proposed update and to collaborate with providers to develop a more practical, risk-based cybersecurity framework. “We strongly support improving cybersecurity across healthcare, but this proposal is overly prescriptive, requires a lot of documentation and is technically misaligned with how healthcare systems operate.”
It’s unclear what HHS will do. According to the agency’s latest unified agenda, it anticipates releasing a final rule in May 2026.
If you follow a good cybersecurity framework (NIST) and develop a program around general security, any regulation that comes out, you’re going to be OK.

 

ARTIFICIAL INTELLIGENCE
New Research Claims AI Agents Are Mathematically Doomed to Fail
A controversial research paper is throwing cold water on the AI industry's agent dreams. Published mid-2025, "Hallucination Stations: On Some Basic Limitations of Transformer-Based Language Models" claims to mathematically prove that large language models can't reliably handle complex computational and agentic tasks.
Authored by former SAP CTO Vishal Sikka and his teenage prodigy son, the paper claims to prove that LLMs are fundamentally incapable of carrying out computational and agentic tasks beyond a certain complexity. Even reasoning models that go beyond pure word prediction won't fix the problem. "There is no way they can be reliable." The researcher, who studied under AI pioneer John McCarthy before his career at SAP, Infosys, and Oracle, now runs AI services startup Vianai.
His verdict on agents running critical systems like nuclear power plants?
Forget it. You might get one to file some papers and save time, but mistakes are inevitable.

 

What an AI-Written Honeypot Taught Us About Trusting Machines
We couldn’t find an open-source option that did exactly what we wanted, so we did what plenty of teams do these days: we used AI to help draft a proof-of-concept.
A few weeks later, something odd started showing up in the logs. Files that should have been stored under attacker IP addresses were appearing with payload strings instead, which made it clear that user input was ending up somewhere we didn’t intend. A closer inspection of the code showed what was going on: the AI had added logic to pull client-supplied IP headers and treat them as the visitor’s IP. This means the site visitor can easily spoof their IP address or use the header to inject payloads, which is a vulnerability we often find in penetration tests.
Why SAST Missed It: Detecting this particular flaw requires contextual understanding that the client-supplied IP headers were being used without validation, and that no trust boundary was enforced. It’s the kind of nuance that’s obvious to a human pentester, but easily missed when reviewers place a little too much confidence in AI-generated code.
Because the code wasn’t ours in the strict sense — we didn’t write the lines ourselves — the mental model of how it worked wasn’t as strong, and review suffered.
This wasn’t the only case where AI confidently produced insecure results. We used the Gemini reasoning model to help generate custom IAM roles for AWS, which turned out to be vulnerable to privilege escalation. Even after we pointed out the issue, the model politely agreed and then produced another vulnerable role. It took four rounds of iteration to arrive at a safe configuration. At no point did the model independently recognize the security problem – it required human steering the entire way.
At a minimum, we don’t recommend letting non-developers or non-security staff rely on AI to write code.
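The client-supplied IP header flaw described above, shown beside a version that enforces the trust boundary. This is an added example, not the honeypot's actual code; the function names, the log directory, the `X-Forwarded-For` key casing and the sample addresses are assumptions.

```python
import ipaddress
from pathlib import PurePosixPath

LOG_ROOT = PurePosixPath("/var/log/honeypot")  # hypothetical storage location


def client_ip_naive(headers: dict, peer_ip: str) -> str:
    """The flawed pattern: whatever the client puts in the header wins."""
    return headers.get("X-Forwarded-For", peer_ip).split(",")[0].strip()


def client_ip(headers: dict, peer_ip: str, trusted_proxies=()) -> str:
    """Resolve the visitor address without trusting client-controlled input.

    The header is read only when the TCP peer is one of our own proxies.
    Hops are walked right to left, because only the entries appended by
    trusted proxies are reliable; anything further left is client-supplied.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr) -> bool:
        return any(addr in net for net in nets)

    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer):
        return str(peer)  # direct connection: ignore the header entirely

    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop and fall back to the peer address
        if not is_trusted(addr):
            return str(addr)
    return str(peer)


def log_path_for(ip: str) -> PurePosixPath:
    """Build the per-visitor file name from a validated address only."""
    canonical = str(ipaddress.ip_address(ip))  # raises ValueError on anything else
    return LOG_ROOT / (canonical.replace(":", "_") + ".log")


if __name__ == "__main__":
    # Constructed request: the header carries a payload string, not an address.
    spoofed = {"X-Forwarded-For": "../../tmp/constructed-payload"}
    print(client_ip_naive(spoofed, "198.51.100.7"))          # payload becomes the "IP"
    print(log_path_for(client_ip(spoofed, "198.51.100.7")))  # real peer address is used
```

With no trusted proxies configured the header is never consulted, which is the right default for a service exposed directly to the internet.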

 

Amazon One Medical introduces agentic Health AI assistant for simpler, personalized, and more actionable health care
Available now to Amazon One Medical members in the One Medical app, the Health AI assistant provides 24/7 personalized health guidance grounded in each patient's unique medical history. And when clinical expertise is needed, the assistant seamlessly connects patients to their care team via messaging or by booking a same or next day appointment.

ChatGPT Health raises promise — and risks — for patients seeking medical advice
Around 40 million people turn to ChatGPT every day with a health question worldwide. OpenAI launched ChatGPT Health, a dedicated platform developed in collaboration with physicians to answer health-related questions.
ChatGPT Health and other generative models can help answer basic medical questions, like listing potential symptoms and predicting what may happen when they see the doctor. It can also be a helpful tool for translating a diagnosis or test results into everyday language or identifying potential abnormalities to better understand.
Problems arise when its predictions are incorrect. The model is designed to reinforce use by validating a person’s feelings, which can lead to real-world consequences depending on the advice it provides. OpenAI is currently facing a number of lawsuits filed by people who claimed their loved ones harmed themselves or died by suicide after interacting with ChatGPT.

 

RAG Systems in 5 Levels of Difficulty (With Full Code Implementation)
I’ve built RAG systems for internal docs, customer support, and compliance workflows. I rebuilt that system four times. Each rebuild fixed a specific failure mode I hadn’t anticipated. The gap between “works in demo” and “works in production” isn’t one thing. It’s five.

  1. Naive RAG: The tutorial version. Breaks immediately on real queries.

  2. Smart Chunking: How you split documents determines what you can retrieve.

  3. Hybrid Search: When “semantically similar” isn’t the same as “actually relevant.”

  4. Reranking: A second pass that catches what retrieval missed.

  5. Production RAG: What happens when retrieval fails? Don’t let the LLM improvise. 

LEGAL & REGULATORY
Europe's GDPR cops dished out €1.2B in fines last year as data breaches piled up
From 28 January 2025 to the present, Europe's data protection authorities received an average of 443 personal data breach notifications a day. That's up 22% on the year before.
On the enforcement side, Ireland once again dominates the tables, with aggregate fines issued by the Irish Data Protection Commission now reaching €4.04 billion since GDPR began, accounting for well over half of all fines issued across Europe during that period. France and Luxembourg are next in line, but a long way back, showing how much of GDPR enforcement is being driven by a small number of regulators.
Ireland also handed down the biggest single penalty of 2025, a €530 million fine against TikTok over unlawful international data transfers. That still wasn't enough to unseat the current record, set two years earlier when regulators hit Meta with a €1.2 billion sanction. Big tech remains the favorite target, with DLA Piper noting that nine of the ten largest GDPR fines on the books have landed there.

 
